Google Offers $250,000 for Full VM Escape Zero-Day Vulnerability

Home/Internet Security, Security Advisory, Security Update, vulnerability, Zero Day Attack/Google Offers $250,000 for Full VM Escape Zero-Day Vulnerability

Google Offers $250,000 for Full VM Escape Zero-Day Vulnerability

Google has launched kvmCTF, a new vulnerability reward program targeting the Kernel-based Virtual Machine (KVM) hypervisor.

Announced in October 2023, this initiative underscores Google’s commitment to securing key technologies like Linux and KVM, essential to products like Android and Google Cloud. KVM, with over 15 years of open-source development, is widely used in both consumer and enterprise settings.

Google, a key contributor to the KVM project, created kvmCTF to collaboratively identify and fix vulnerabilities, strengthening this vital security boundary. The program, akin to kernelCTF, focuses on zero-day vulnerabilities and previously unknown security flaws.

Participants in kvmCTF will have access to a lab environment to test their exploits and capture flags. The program excludes n-day vulnerabilities to prioritize new, unpatched ones. Details of discovered zero-day vulnerabilities will be shared with Google only after an upstream patch is released, ensuring Google and the open-source community receive the information simultaneously.

Reward Tiers and Participation

The kvmCTF program offers significant rewards for various vulnerabilities:

  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

To aid in discovering these vulnerabilities, kvmCTF provides an option to use a host with Kernel Address Sanitizer (KASAN) enabled, which helps identify memory errors.

Participants will work in a controlled environment with a bare metal host running a single guest VM. They can reserve time slots to access the guest VM and attempt guest-to-host attacks, focusing on exploiting zero-day vulnerabilities in the KVM subsystem of the host kernel. Successful attacks yield a flag as proof, with rewards based on the severity of the exploit.

To join kvmCTF, participants must read the rules, which cover reserving time slots, connecting to the guest VM, and obtaining flags. The rules also explain KASAN violation mappings to reward tiers and how to report vulnerabilities.

Google’s kvmCTF is a major step in securing open-source technologies. By offering substantial rewards for zero-day discoveries, Google aims to engage the global security community to enhance KVM hypervisor security, benefiting users worldwide.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

By | 2024-07-03T02:04:22+05:30 July 3rd, 2024|Internet Security, Security Advisory, Security Update, vulnerability, Zero Day Attack|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!